Relative values

Want the best security ROI? Update your Java

Lucy Carey

With concerns over the security of the platform lingering, a Microsoft report urges Java users to put updating to Java 8 at the forefront of their agenda.


It’s been said time and time again: if you want your Java to remain untainted, make sure you’re using the freshest version you can. This advice has been reiterated by Microsoft’s Security Intelligence Report volume 16 (SIRv16), which counsels that keeping Java bang up to date provides maximum ROI for the security of your IT systems. According to the report, old Java plug-ins especially are at risk of attacks from exploit toolkits, and it’s a snap to hack into web pages using outdated

An idiosyncrasy of these tricksy exploit kits is that new vulnerabilities are constantly integrated and resolved vulnerabilities are removed as are released. While early exploit kits tended to home in on a wide range of vulnerable products, in recent years these malicious tools have narrowed their focus to a few select targets. Writing on the Microsoft Security Blog, Tim Rains identifies five key targets:

  • Adobe Flash

  • Adobe Reader

  • Microsoft Windows

  • Internet Explorer

  • Oracle Java

In general, the report notes an overarching increase in detected malware attacks worldwide: in 2013, 21.2% of computers studied by experts were affected. The fourth quarter of 2013 was particularly severe, with systems bombarded by a host of fiendish new malware tactics – including special variants of , and Brantall. The Sefnit-Bot gives attackers a variety of attack options, and is often used in connection with financial scamming through click hijacking or Bitcoin mining.

Whilst there was an increase in deception tactics in 2013, certain activities actually fell. Attacks on Java vulnerabilities decreased from 15% to 10%, which Microsoft links to the arrest of a suspected exploit kit operator. There’s little respite for Java users however – in 2013, almost 75 percent of all attacks were by exploit kits targeting JRE

If all this talk of cyber criminals has put you on edge, remember, attacks on Java server applications are in fact still relatively rare. But, if you can, it pays to use the most recent versions of Java (easier said than done in some cases) – and, as Microsoft reiterates, check whether you need Java in the browser at all.
